Here's what PCSTATS discovered... and I might note that
no other hardware "review" website to test the SuperTalent Luxio picked up
on any of these obvious issues as of this articles' publication. Just another
reason why you should always Get the 'STATS and Stay Informed!
Bug 1) How To Loose Ownership of the Encryption
Here's how PCSTATS did it. Pop the SuperTalent Luxio
drive into a USB slot, launch the SecureLock software and set up the
private partition and initial password to (1). Log out by removing the
Luxio from the USB slot.
Re-insert the Luxio and unlock the drive by
typing in the correct password (1) in the SecureLock application.
With the Luxio drive
unlocked it's now possible
go to the "Change Password" form and set a new password to
(2) without entering anything in the first "Old Password" field (enter 2 in
all the other fields).
- Unplug the Luxio drive and then
Launch SecureLock and attempt to unlock the drive with the new (and
unauthorized) password of (2) - the Luxio unlocks!
In other words, if you walk away from your
PC for a moment and leave the Supertalent Luxio plugged in and
unlocked, anyone can open up the SecureLock application and change
the password of your encrypted USB drive to something entirely new without
proving they are authorized to do so.
Even Windows challenges user account password
changes by demanding the original password! Yikes!
Bug 2) Wrong Password / Right Password =
Formatted Partition Bug:
Here's what PCSTATS found. Launch the SecureLock software and set
up a private partition on the Supertalent Luxio with password set to
- Login once to confirm the password works, unplug Luxio USB
drive and re-insert it, or simply log off.
Attempt to unlock the drive
through SecureLock in the normal way, but enter an incorrect
password three times in a row.
- Enter the correct password on
the fourth attempt and watch in horror as the Luxio continues to decline the
password even though it's now correct!
If you enter the correct password on the fifth and sixth attempts it will
still reject it. On the sixth attempt, regardless if
the password is correct, the USB drive will automatically format itself and erase all
your data. (Except when Bug 4 happens.)
The only way to escape from this programming Catch-22
is to unplug the USB drive before the format warning,
plug it back in and login anew with the correct password. This leads into
PCSTATS third and fourth major bug discoveries below.
Bug 3) Unlimited Log In Attempts
for Brute Force Password Hacking:
The Luxio USB drive is supposed to
reset itself and format all data on the private partition after five failed log in attempts. If you can believe it, anyone can
circumvent the five failed login attempts. Here's how PCSTATS did it. Simply unplug the
drive, plug it back in and open up the login window again. Each time
the login window is closed the 'failed login attempts'
counter seems to reset to 0, so an individual could easily apply
brute force password cracking to breach your password.
Not that everyone
needs to go to such measures, if the private partition on the Luxio
is set to greater than 32GB all you need to do is login
incorrectly a half-dozen times... Yup, we're not kidding.
Bug 4) Circumvent The Password -
Gain Full Access to "Encrypted" Data in 10
According to the SuperTalent Luxio product FAQ - "After
five consecutive incorrect password attempts the Luxio will automatically
reformat itself and all data on the Luxio will be lost. This feature helps
protect your data should your Luxio be lost or stolen." Makes sense, otherwise any individual
could apply a brute force password hacking tool to crack your password, which
is probably something simple like "123456" anyhow.
Well unfortunately for
Luxio owners this doesn't always happen. In fact, all the SuperTalent
Luxio encryption measures can be circumvented very easily. Here's how PCSTATS did it with
the 64GB Luxio drive we tested in our labs. Purposefully make six incorrect login attempts
in a row, provided the private partition is between 33-64GB in size. After
the sixth you get full file access. If the private partition is 32GB
or less , the drive will automatically
format the partition after the last failed login attempt as it is
supposed to, erasing all the data it holds.
I'd hazard a guess that
the SecureLock application was programmed when 32GB was the maximum
USB drive size, so for sizes greater than this its format command
fails to engage. A mind boggling oversight isn't it?
These are the steps PCSTATS
- Launch the SecureLock software
and create a private partition between 33-64GB in size and set
the password to (1).
- Login once to confirm the password works, and log
Attempt to unlock the drive through SecureLock by
entering an incorrect password six times in a row.
- By the sixth
attempt the SecureLock software will tell you that it is
Formatting the private partition and erasing all the data it contained -
except that it doesn't actually erase the partition.
- Instead SecureLock disables the password protection on
what should be a freshly formatted partition!
The end result is that it only takes six incorrect
password attempts to circumvent AES-256 encryption and allow anyone to access to
the encrypted files (for partitions of 33GB-to-64GB size). This
is such a fundamental programming bug that it makes us seriously question
just what "encryption" is actually applied on the SuperTalent Luxio.
USB Speed Tests
PCSTATS will benchmark this USB flash drive with and
without its "hardware encryption" engaged to see what kind of data transfer
speeds we can expect from the SuperTalent Luxio.